Improper Argument Handling in AWS EFS CSI Driver
CVE-2026-6437

6.9 MEDIUM

Key Information:

Vendor: Amazon
CVE Published: 17 April 2026

What is CVE-2026-6437?

Improper neutralization of argument delimiters in the volume handling component of the AWS EFS CSI Driver prior to version 3.0.1 allows authenticated remote users with PersistentVolume creation permissions to inject arbitrary mount options through comma injection. This can potentially compromise system integrity and lead to unauthorized access or elevated privileges. Users are strongly recommended to upgrade to version 3.0.1 to mitigate this vulnerability.

Affected Version(s)

AWS EFS CSI Driver prior to 3.0.1

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved